Author: brooks
Date: Sat Nov 13 00:40:43 2010
New Revision: 215213
URL: http://svn.freebsd.org/changeset/base/215213

Log:
  Add an (off by default) check for negative permissions (where the
  group on an object has fewer permissions than everyone).  These
  permissions will not work reliably over NFS if you have more than
  14 supplemental groups and are usually not what you mean.
  
  MFC after:    1 week

Added:
  head/etc/periodic/security/110.neggrpperm
     - copied, changed from r213358, head/etc/periodic/security/100.chksetuid
Modified:
  head/etc/defaults/periodic.conf
  head/etc/periodic/security/Makefile
  head/share/man/man5/periodic.conf.5

Modified: head/etc/defaults/periodic.conf
==============================================================================
--- head/etc/defaults/periodic.conf     Fri Nov 12 22:59:50 2010        
(r215212)
+++ head/etc/defaults/periodic.conf     Sat Nov 13 00:40:43 2010        
(r215213)
@@ -160,6 +160,9 @@ daily_status_security_diff_flags="-b -u"
 # 100.chksetuid
 daily_status_security_chksetuid_enable="YES"
 
+# 110.neggrpperm
+daily_status_security_neggrpperm_enable="NO"
+
 # 200.chkmounts
 daily_status_security_chkmounts_enable="YES"
 #daily_status_security_chkmounts_ignore="^amd:"                # Don't check 
matching

Copied and modified: head/etc/periodic/security/110.neggrpperm (from r213358, 
head/etc/periodic/security/100.chksetuid)
==============================================================================
--- head/etc/periodic/security/100.chksetuid    Sat Oct  2 11:45:18 2010        
(r213358, copy source)
+++ head/etc/periodic/security/110.neggrpperm   Sat Nov 13 00:40:43 2010        
(r215213)
@@ -35,23 +35,19 @@ then
     source_periodic_confs
 fi
 
-. /etc/periodic/security/security.functions
-
 rc=0
 
-case "$daily_status_security_chksetuid_enable" in
+case "$daily_status_security_neggrpperm_enable" in
     [Yy][Ee][Ss])
        echo ""
-       echo 'Checking setuid files and devices:'
+       echo 'Checking negative group permissions:'
        MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
-       find -sx $MP /dev/null -type f \
-           \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
-           \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
-       check_diff setuid - "${host} setuid diffs:"
-       rc=$?
-       ;;
-    *)
-       rc=0
+       n=$(find -sx $MP /dev/null -type f \
+           \( \( ! -perm +010 -and -perm +001 \) -or \
+           \( ! -perm +020 -and -perm +002 \) -or \
+           \( ! -perm +040 -and -perm +004 \) \) \
+           -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
+       [ $n -gt 0 ] && rc=1 || rc=0
        ;;
 esac
 
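Review bot: The listing of offending files is written to stderr by `tee /dev/stderr` on the find pipeline, while the heading from `echo 'Checking negative group permissions:'` goes to stdout, so the report is split across two streams and may be reordered or lost if the periodic harness does not merge stderr into stdout — I have not verified what periodic(8) does with stderr here. Capturing the listing keeps it on one stream and makes the count explicit: `out=$(find … -exec ls -liTd \{\} \+)` followed by `if [ -n "$out" ]; then echo "$out"; rc=1; fi`, which also replaces the `[ $n -gt 0 ] && rc=1 || rc=0` idiom (safe only because `rc=1` cannot fail) and the reliance on `$n` being unquoted to strip the leading blanks wc(1) emits. A short comment on the `/dev/null` argument would help readers, e.g. `# /dev/null keeps find from running with no path when no ufs/zfs mount points are found` — presumably that is its purpose, as in the 100.chksetuid script this was copied from. `$MP` is deliberately left unquoted so find gets one argument per mount point; mount points containing whitespace would be split, which the original script shares.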

Modified: head/etc/periodic/security/Makefile
==============================================================================
--- head/etc/periodic/security/Makefile Fri Nov 12 22:59:50 2010        
(r215212)
+++ head/etc/periodic/security/Makefile Sat Nov 13 00:40:43 2010        
(r215213)
@@ -3,6 +3,7 @@
 .include <bsd.own.mk>
 
 FILES= 100.chksetuid \
+       110.neggrpperm \
        200.chkmounts \
        300.chkuid0 \
        400.passwdless \

Modified: head/share/man/man5/periodic.conf.5
==============================================================================
--- head/share/man/man5/periodic.conf.5 Fri Nov 12 22:59:50 2010        
(r215212)
+++ head/share/man/man5/periodic.conf.5 Sat Nov 13 00:40:43 2010        
(r215213)
@@ -482,6 +482,14 @@ Set to
 .Dq Li YES
 to compare the modes and modification times of setuid executables with
 the previous day's values.
+.It Va daily_status_security_neggrpperm_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to check for files where the group of a file has less permissions than
+the world at large.
+When users are in more than 14 supplemental groups these negative
+permissions may not be enforced via NFS shares.
 .It Va daily_status_security_chkmounts_enable
 .Pq Vt bool
 Set to